analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed

Full analysis: https://app.any.run/tasks/e98e6ea8-ef61-4738-b3af-27b86b97282f
Verdict: Malicious activity
Analysis date: April 24, 2019, 23:39:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

6CA9A7224ED4E9E90BC93D651FC43F65

SHA1:

E8A12EF6FC92E5772AEFFC470F6960D8163179AD

SHA256:

E6998454B1F41205CA3E663043C0A767D833FFF568B01BC6AC99CAA6C4F449ED

SSDEEP:

49152:qkmbNLrz8WItqRkAVL3MJ3/OYhp9BOTXqz3+qK8HqgqEvZl:vm5LMWfdsvhp6azvbvZl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • uidcreator.exe (PID: 3692)

    • Loads dropped or rewritten executable

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Changes settings of System certificates

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Changes tracing settings of the file or console

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Executable content was dropped or overwritten

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Creates files in the program directory

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Creates files in the user directory

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

    • Adds / modifies Windows certificates

      • e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe (PID: 4036)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x338f
UninitializedDataSize: 2048
InitializedDataSize: 186368
CodeSize: 26624
LinkerVersion: 6
PEType: PE32
TimeStamp: 2018:01:30 04:57:48+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Jan-2018 03:57:48
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 30-Jan-2018 03:57:48
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00006627
0x00006800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.45224
.rdata
0x00008000
0x0000149A
0x00001600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.00708
.data
0x0000A000
0x0002AFF8
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.03532
.ndata
0x00035000
0x00026000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0005B000
0x0001BBC8
0x0001BC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.72898

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.29645
1066
UNKNOWN
English - United States
RT_MANIFEST
2
4.07244
16936
UNKNOWN
English - United States
RT_ICON
3
7.93337
11195
UNKNOWN
English - United States
RT_ICON
4
4.12089
9640
UNKNOWN
English - United States
RT_ICON
5
4.62272
4264
UNKNOWN
English - United States
RT_ICON
6
5.04001
1128
UNKNOWN
English - United States
RT_ICON
103
2.79908
90
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.73893
514
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG
111
2.89887
238
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe no specs e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe ns787.tmp no specs uidcreator.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3156"C:\Users\admin\AppData\Local\Temp\e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe" C:\Users\admin\AppData\Local\Temp\e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
4036"C:\Users\admin\AppData\Local\Temp\e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe" C:\Users\admin\AppData\Local\Temp\e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2
3192"C:\Users\admin\AppData\Local\Temp\nso767.tmp\ns787.tmp" C:\Users\admin\AppData\Local\Temp\nso767.tmp\uidcreator.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\ns787.tmpe6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3692C:\Users\admin\AppData\Local\Temp\nso767.tmp\uidcreator.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\uidcreator.exens787.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Total events
392
Read events
360
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
0
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\ns787.tmp
MD5:
SHA256:
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\r
MD5:
SHA256:
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\INetC.dllexecutable
MD5:5E2EC70CAA4275FDF9C1E3B654CC3F32
SHA256:6237E23F5A305E075B5965393BA955D0F7BB4E0F46824F2F55AB3D3B03CFE723
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\ttac_nsis.dllexecutable
MD5:3AE37B3FC762FC91D126C703B0153B9D
SHA256:D705AE2F486A09EB64CA61A2C699A00CFCCC2E368BF18CCB906A4B2BCE21EC8B
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\uidcreator.exeexecutable
MD5:5C61D297FF7D48AD2B01E17527142633
SHA256:FC909BDD4AF5EF9831714D8D527E86475300D72D4A1853F955F254B3948FB40E
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\chst_installer_log.txttext
MD5:0FEB3F56C80952033B6FED9928A8B581
SHA256:EA00C335B66EB4106C1AE558756C0FE58A1D51CB6C08E6F5C27A4F6E31A04736
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\LogEx.dllexecutable
MD5:0F96D9EB959AD4E8FD205E6D58CF01B8
SHA256:57EDE354532937E38C4AE9DA3710EE295705EA9770C402DFB3A5C56A32FD4314
4036e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exeC:\Users\admin\AppData\Local\Temp\nso767.tmp\nsExec.dllexecutable
MD5:3D366250FCF8B755FCE575C75F8C79E4
SHA256:8BDD996AE4778C6F829E2BCB651C55EFC9EC37EEEA17D259E013B39528DDDBB6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4036
e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
POST
200
216.58.205.238:80
http://www.google-analytics.com/collect
US
image
35 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4036
e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
216.58.205.238:80
www.google-analytics.com
Google Inc.
US
whitelisted
4036
e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
62.109.13.130:443
chistilka.ru
JSC ISPsystem
RU
malicious

DNS requests

Domain
IP
Reputation
www.google-analytics.com
  • 216.58.205.238
whitelisted
config.chistilka.com
unknown
chistilka.ru
  • 62.109.13.130
malicious

Threats

PID
Process
Class
Message
4036
e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed.exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
e6998454b1f41205ca3e663043c0a767d833fff568b01bc6ac99caa6c4f449ed